Re-imagine Risk Strategies for Success IT Internal Audit Conference Highlights Autumn 2011 kpmg.co.uk/technologyriskconsulting


FOR ORGANISATIONS THROUGHOUT THE PRIVATE AND PUBLIC SECTORS LIFE’S BEEN TOUGH SINCE 2008. THE FUTURE DOES NOT SHOW ANY SIGN OF IMPROVING EITHER, WITH CONTINUED ECONOMIC UNCERTAINTY FEEDING ALMOST RECORD-BREAKING LEVELS OF UNEMPLOYMENT; SOCIAL UNREST IN THE SHAPE OF OCCUPY LONDON AND UK UNCUT; CENTRAL BANKS PUMPING MONEY INTO THE GLOBAL FINANCIAL SYSTEM AND A SIGNIFICANT DOWNTURN IN CONSUMER CONFIDENCE.

© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.


RISK IS TODAY’S REALITY

INTRODUCTION

Senior decision-makers working in the Financial Services sector are contending with a tidal wave of regulatory demands in the shape of Solvency II, FATCA, Basel III, Dodd-Frank, RDR and Living Wills and, all the while, doing so against a rising trend in major cost efficiency drives and the emergence of technology-fuelled social networks that promote openness over data security.

Senior Executives working across commercial and public service organisations are wrestling with data leakage issues, social networks, cyber threats, disruptive technologies and major organisational change. These of course present a number of risks but, for forward-thinking IT internal audit professionals, opportunities too.

THE GROWING WAVE

Technology is growing at an unprecedented rate. PC sales hit the one billion mark almost a decade ago according to Gartner, who also forecast that the second billion mark will be reached sometime in 2014. However, this rate of growth is matched – and, according to some, outstripped – by the way technological use is changing. The explosion in smartphone and tablet sales, the widespread adoption of social networks as an everyday form of communication and the increasing implementation of cloud services are breaking down old certainties. This is especially apparent in the commercial world, where traditional means of safeguarding data and technology are becoming obsolete.

For IT internal auditors this presents a number of challenges in protecting their organisations and clients against financial and reputational losses – and in helping them construct a clearer insight into governance, risk and compliance strategies.


Social networks and personal devices like smartphones and tablets have crossed the commercial frontier thanks to the phenomenal wave of consumerisation, led by Apple and Samsung. Indeed, according to press reports[1], tablets are expected to sell 60 percent as many units as PCs in just three years’ time. Individuals now view them as a key tool for work, and the line between home and office use, and the way we communicate with colleagues, professional networks, clients and friends, has blurred – which is why businesses must adapt and re-evaluate the way they consider risk.

While the risks of unsecured personal computing brought into the heart of commercial operations do not need to be spelled out, it should not be forgotten that social networks, smartphones and other innovative technologies also offer huge opportunities.

A DIFFERENT VIEW

So while organisations need to continue to adapt to exploit the business opportunities afforded by technology, it is the responsibility of IT internal audit leaders to help them look at the risks involved in a different way, helping them turn it to their advantage. Most IT internal audit teams spend most of their time in the quadrant of what KPMG terms the IT Risk Universe looking at mature internal controls and change management programmes. However, there is increasing focus from boards and clients on new and emerging risks, in areas like social media, cyber crime, and disruptive technologies.

It is in helping boards understand and manage these risks where IT internal auditors can really add value to their organisations.

MULTIPLE RISKS

There are a number of IT risk areas:

• Social networks which are changing the relationship between users and technology, and the way businesses and organisations protect their IT systems.

• Cyber threats that are multiplying and which come from a variety of sources including organised crime, state-sponsored groups and hacktivists.

• Disruptive technologies that if misread have the potential to fundamentally change marketplaces and leave once dominant players next to worthless.

In this white paper we explore these risks in more detail and, in doing so, show how IT internal auditors can be in the driving seat when it comes to keeping their organisations ahead of the curve. Executive boards are often all too aware of the possibilities of new technologies, and the risks. However, there is a greater need to understand their organisation’s risk profile and appetite for risk, in order to develop a sound risk strategy that is aligned to key business priorities. Some leading boards insist on IT risk briefings as a matter of course. By proactively seeking out and analysing such dangers, IT internal auditors have the opportunity to play a key role in protecting their organisations and underscoring their value.

Stephen Bonner, Partner, Information Protection, +44(0)20 7694 1644, [email protected]

Martin Jordan, Head of Cyber Response, Information Protection, +44(0)20 7311 1000, [email protected]

If you would like to attend similar events in the future, then please contact charmaine.servado@kpmg.co.uk

Adam Bates, Partner, UK Head of Risk Consulting, +44(0)20 73113934, [email protected]

SOURCE: 1 http://www.guardian.co.uk/technology/2011/sep/22/tablet-forecast-gartner-ipad


CONTENTS

GETTING SOCIAL

CYBER THREAT

DISRUPTIVE TECHNOLOGIES

CONCLUSION


SOCIAL NETWORKING HAS RECORDED INCREDIBLE GROWTH PATTERNS WITH ITS POPULARITY ENCOMPASSING ALL SOCIAL CLASSES. IT IS NOT RESTRICTED TO THE YOUNG EITHER, WITH INCREASING NUMBERS OF BABY BOOMERS EMBRACING THE TECHNOLOGY – IN THE US[2] THE NUMBER OF OVER 50S USING SOCIAL MEDIA NEARLY DOUBLED IN ONE YEAR. IT IS ALSO CROSSING BORDERS. ACCORDING TO ONE ANALYST THERE ARE 50 MILLION USERS OF SOCIAL MEDIA IN INDIA, WHO SPEND MORE TIME ON THESE NETWORKS THAN ON ANY OTHER ONLINE ACTIVITY.

Presented by Stephen Bonner, Partner, Information Protection, +44(0)20 7694 1644, [email protected]

SOURCE: 2 http://www.pewinternet.org/Reports/2010/Older-Adults-and-Social-Media/Report.aspx


01 GETTING SOCIAL

OPEN FOR BUSINESS

Businesses have been quick to recognise the benefits of social media, especially around marketing and customer service. One international airline recently undertook a 24-hour campaign that promised live responses within an hour to any tweets, Facebook posts or messages to Hyves – a Netherlands-based social network. A worldwide IT firm is using social networking to boost internal collaboration, while a US broadcaster is using Facebook to give viewers exclusive content about a new show.

Social networking is also a valuable recruitment tool, with 53 percent[3] of companies admitting to using it to research and profile potential employees. LinkedIn[4] – with its stated 135 million global members – is also proving a valuable hunting ground for recruitment and HR teams looking to capture talent.

Social media is also a mine of customer information. Location, gender and language are all areas that some data companies can analyse, but they can also dig much deeper, looking for responses governing sentiment and influence.

SOURCE: 3 http://www.careerbuilder.co.uk/UK/share/aboutus/pressreleasesdetail.aspx?id=pr28&sd=1%2f13%2f2010&ed=12%2f31%2f2010&siteid=cbpr&sc_cmp1=cb_pr28_

4 http://press.linkedin.com/about


OPEN ALL HOURS

Social media is built on immediacy and openness and therein lies the risk. It was not designed for the commercial world and neither are many of the devices that people use to access it. Governments discovered the fact early on; the US experienced untold reputational damage when pictures of the abuses carried out at Abu Ghraib went viral and, as can be seen during the Arab Spring, the authorities have failed to keep a lid on video imagery of state brutality. In some cases it may be possible to exercise some kind of control over the online flow in and out of countries, but it remains difficult to stop people from posting content on social forums.

In the commercial world the results of poor controls for devices and social networks are legion.

• In September of this year one US broadcaster had its Twitter account hacked with fake reports sent out about an attack at Ground Zero.

• An Australian bank found that a hacker had infiltrated its social network channel and had been contacting customers for account information.

Accidental error is also a risk. Unlike more traditional forms of marketing, with their well-established approval procedures, posting to a social network can be done in seconds. A leading telco found this to its cost recently and had to apologise for an inappropriate message originating from a member of staff.

There is also the chimera of anonymity that the entire online experience has fostered.

Anyone with a computer, smartphone and broadband connection can post content under any personality and name they wish; however, as history shows, things will leak.

A third risk is an increase in consumer power. There was a time when companies could pretty much guarantee they would emerge victorious from a dispute with an individual member of the public. However, social networks can transform a small dispute into a major and possibly catastrophic public relations disaster.

• When one customer found that an airline would not reimburse him for a guitar it had broken, he wrote a song and filmed a video, which he posted on YouTube. The exercise was a PR disaster for the airline and the video has been viewed 11 million times.

WHAT CAN BE DONE?

• Establish a governance group that includes all departments using social networking for a more balanced view.

• Create policies that cover customer privacy, responsible network use and copyright, and that stress the care employees should exercise when posting personal information or pictures.

• Create an inventory of every social network currently in use across your organisation, including sector-specific and function-specific sites.

• Regularly test your organisation’s social networks to ensure they are safe and not delivering bad links or malware to your audiences.

• Establish a thorough records management system that can log the name of the person posting to a social network and the content uploaded.

• Develop a comprehensive plan that details how to respond to a mistaken or rogue posting, or a social networking campaign against your organisation.

• Invest in a multi-lingual monitoring service to look at social network flows across multiple countries.

• Build a local community through transparency and honesty that will listen to your position in the case of any allegations. A media company’s social networks were flooded with supportive comments when its nature programme was accused of faking footage.

MALWARE ATTACKS HAVE BEEN ON THE UPWARD CURVE SINCE THE WIDE ADOPTION OF HOME COMPUTERS AND 2011 SHOWS A SIMILAR TREND. IN THE ‘GLOBAL SURVEY OF SOCIAL MEDIA RISKS’, CONDUCTED BY THE PONEMON INSTITUTE, OCTOBER 2011, 52 PERCENT OF ORGANISATIONS STATED THAT AN INCREASE IN MALWARE ATTACKS WAS A DIRECT RESULT OF EMPLOYEE USE OF SOCIAL MEDIA.

Presented by Martin Jordan, Head of Cyber Response, Information Protection, +44(0)20 7311 1000, [email protected]

02 CYBER THREAT

Cyber attacks are now seen widely across the media, infiltrating our personal as well as professional lives. For example, burglars are making use of social networks to plan raids, especially Twitter and Facebook where people post their whereabouts and holiday news – and as such announce that they are not at home. A computer virus has even affected the computer systems at Creech Air Force base in Nevada, where pilots from the US Air Force remotely fly drones in Afghanistan.

Commercial anti-virus and data protection vendor Sophos says that it catches 95,000 pieces of malware every day, double the number of the previous year. Vendors like Sophos and others are always playing catch-up and readily admit they are involved in a continuing and never-ending battle with hackers for supremacy.

Hacking now is primarily carried out by three groups:

• Organised criminal gangs

• State-sponsored organisations

• Hacktivists.

For organised crime the rewards are huge, with a recent attack netting one gang US$13m in just one day. Gangs like the Russian Business Network, which offer technology and hosting services to criminals around the world, are well documented, as are the almost non-existent consequences of getting caught. In early 2011 a 27-year-old male received five months’ probation, despite pleading guilty to a US$10m fraud that involved hacking into a bank and stealing credit card and PIN details, which he and his gang then cloned onto new cards and used at ATMs.

State-sponsored cyber attacks are becoming more frequent and more complex. Norway recently revealed that oil, gas and defence firms across the country had been hit by a series of sophisticated attacks that stole industrial secrets and information on contracts.

During the 2008 war between Russia and Georgia, Moscow was widely suspected of being behind various cyber attacks against its neighbour, while the US Government has officially designated cyberspace a warfare domain, alongside land, sea, air and space. In October 2011, computers in the Japanese Parliament were infected with a virus designed to steal passwords and other information, with the attack traced back to a server in China.

Hacktivism has been on the rise over the last couple of years, with groups like Lulzsec and Anonymous making headlines for attacks on a disparate range of victims including government, media and financial services. While hacktivism is in many cases a loose collection of like-minded individuals – Anonymous for instance has no leaders or structure – they do tend to share an ideology, which of late has been painted as anti-capitalist.

SIMPLE WEAPON

Cyber attacks come in many shapes and sizes: social engineering, infected websites, phishing and spam to name just a few, but in one case the weapon comes from within organisations themselves.

Public documents, such as downloadable PDFs, can reveal a great deal about the inner workings of an organisation’s IT infrastructure, with the metadata recording who created it, their user name, the software version they used and even the name of the last printer they accessed.

WHAT CAN BE DONE?

Putting in place a coherent, well-resourced strategy involving a specialist vendor of anti-malware and data protection technology is of course on top of the list, closely followed by a comprehensive usage policy. However, there are also a number of additional, day-to-day precautions that are worth taking on board.

• Assess what information about your organisation is publicly available on the web, including names, structures, financials and partnerships. Then put in place a policy to minimise the corporate information you may not want made public.

• Put in place a process whereby all metadata is cleansed from public documents as a matter of policy.

• Patch every computer within your organisation – not just the web-facing ones – as attacks are often written to exploit known weaknesses in computer code. In some cases, it’s not just computers that are at risk either, but other machines including printers.

• Put in place a plan that details the responses to every possible cyber attack.

• Educate all users – from mailroom to boardroom – in sensible web and email behaviour.
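The metadata point above can be turned into a pre-publication gate. The following is an added example, not part of the original paper: it lists the document-information strings a PDF carries, flags the ones that name a person or a software version, and blanks them in place. The sample bytes, the account name "jsmith" and the product "Acme PDF" are constructed, and only uncompressed Info-dictionary strings are covered.

```python
import re

# Standard keys of the PDF document-information (Info) dictionary.
INFO_KEYS = (b"Title", b"Author", b"Subject", b"Keywords", b"Creator",
             b"Producer", b"CreationDate", b"ModDate")
# Keys blanked by blank_metadata(); titles and dates are left for manual review.
WIPE_KEYS = (b"Author", b"Creator", b"Producer")

_KEYS = b"|".join(INFO_KEYS)
# "/Key (literal string)" with backslash escapes, and "/Key <hex string>".
_LITERAL = re.compile(rb"/(" + _KEYS + rb")\s*\(((?:\\.|[^\\()])*)\)")
_HEX = re.compile(rb"/(" + _KEYS + rb")\s*<([0-9A-Fa-f\s]*)>")


def _decode(raw, is_hex):
    """Turn the raw bytes of a PDF string into text."""
    if is_hex:
        digits = re.sub(rb"\s", b"", raw)
        if len(digits) % 2:            # an odd final digit is padded with 0
            digits += b"0"
        raw = bytes.fromhex(digits.decode("ascii"))
    else:
        raw = re.sub(rb"\\([()\\])", rb"\1", raw)
    if raw.startswith(b"\xfe\xff"):    # UTF-16BE text string with BOM
        return raw[2:].decode("utf-16-be", "replace").strip()
    return raw.decode("latin-1").strip()


def extract_info(data):
    """Return every non-empty (key, value) pair found anywhere in the file.

    The whole file is scanned because incremental saves leave earlier
    revisions of the Info dictionary in place.
    """
    found = []
    for rx, is_hex in ((_LITERAL, False), (_HEX, True)):
        for m in rx.finditer(data):
            item = (m.group(1).decode(), _decode(m.group(2), is_hex))
            if item[1] and item not in found:
                found.append(item)
    return found


def audit(data):
    """Return (key, value, reason) for each field that should not be published."""
    findings = []
    for key, value in extract_info(data):
        if key == "Author":
            findings.append((key, value, "names a person or account"))
        elif key in ("Creator", "Producer") and re.search(r"\d", value):
            findings.append((key, value, "discloses software and version"))
        elif key == "Title" and re.search(r"[\\/]|\.(docx?|xlsx?|pptx?)$",
                                          value, re.I):
            findings.append((key, value, "looks like an internal file name"))
    if b"<x:xmpmeta" in data:
        findings.append(("XMP", "", "XMP packet present; cleanse separately"))
    return findings


def blank_metadata(data):
    """Overwrite the WIPE_KEYS values with spaces of the same length.

    Keeping the length unchanged keeps every byte offset in the
    cross-reference table valid. Whitespace inside <...> is ignored by
    PDF readers, so a blanked hex string reads as empty.
    """
    def wipe(m):
        if m.group(1) not in WIPE_KEYS:
            return m.group(0)
        text, base = m.group(0), m.start()
        start, end = m.start(2) - base, m.end(2) - base
        return text[:start] + b" " * (end - start) + text[end:]

    for rx in (_LITERAL, _HEX):
        data = rx.sub(wipe, data)
    return data


# Constructed sample: the Info object of a PDF exported from an office suite.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Title (Q3 board pack.docx) /Author (jsmith)\n"
    b"   /Creator (Microsoft Word 2010)\n"
    b"   /Producer <FEFF00410063006D0065002000500044004600200039002E0031>\n"
    b"   /CreationDate (D:20111004093000Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE):
        print(f"{key}: {value!r} ({reason})")
    print("remaining:", audit(blank_metadata(SAMPLE)))
```

Metadata held in compressed object streams or in an XMP packet is not reached by this scan, so a clean result here does not replace a dedicated sanitising step in the publishing workflow.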


TECHNOLOGY RISK IS NOT JUST ABOUT SECURITY ATTACKS AND THE PREVENTION OF CYBER ATTACKS. THE EMERGENCE OF NEW TECHNOLOGIES AND USER BEHAVIOUR CAN SOUND THE DEATH KNELL FOR COMPANIES WHO FAIL TO SEE WHERE IT MIGHT LEAD.

Presented by Adam Bates, Partner, UK Head of Risk Consulting, +44(0)20 73113934, [email protected]


03 DISRUPTIVE TECHNOLOGIES


WHERE THE FUTURE LIES

Company survival now is far less certain than it has ever been. In 1937 the average time a company spent in the S&P 500 was 75 years, in 2011 that has dropped to 15 years and by 2025 it is predicted to be just five years[5]. As we have seen with some organisations, being an alumnus of the index is no guarantee of survival.

It is an example that presents a salutary lesson to executives on how technology can disrupt their businesses to the point of potential extinction. Similar examples have occurred in a range of industries including retail, telecoms, music and computing and will be seen in more industries as technology enables changes in their business models. What’s also apparent is that we’re at the start of this technology wave; developments will only get faster and the risks more pronounced.

Disruptive technology has no respect for borders or sectors; executives should not be fooled into thinking that their business is safe because their immediate markets are unaffected. All threats begin life over the horizon and it is the job of IT internal audit to ensure their organisation maintains a sharp view of ongoing technological developments.

Examples of possible disruptive technology are everywhere. In Kenya M-Pesa is a microfinance system that allows individuals without bank accounts – who account for 77 percent of the adult population – to undertake basic banking functions from specialist kiosks and mobile phones. It is operated by a Vodafone affiliate and completely bypasses the traditional banking structure, with 14 million users and year-end revenue growth rates of 56 percent. Other countries have also begun working on their own systems, which begs the question: how will the banking industry react when – and not if – this technology begins encroaching on more established markets?

Nanotechnology and additive manufacturing (3D printing) are further sources of disruption where emerging technologies could seriously impact the healthcare and pharmaceutical market and make existing players more vulnerable. It might sound like something straight out of Star Trek, but researchers are already using 3D printing to produce human organs and muscles for research. While the mass production of living human tissue is years away, at some point in the future it may be a fact of life, and will have a significant impact on companies who manufacture kidney dialysis machines, and even insurance companies will need to factor in increased life expectancy.

DISRUPTING THE DISRUPTORS... WHAT CAN BE DONE?

Disruptive technology is not just a risk, but an opportunity too. Telematics for instance is increasingly being used by the insurance industry as a way of targeting young drivers who have been priced off the road by excessive premiums. By monitoring how safely an individual drives – for example whether they are avoiding driving when dark – a tailored premium can be provided. These companies are showing how new technologies can be harnessed to drive revenues and business.

Harnessing technology to enhance rather than disrupt your organisation cannot be the preserve of one team as it crosses multiple disciplines such as R&D, marketing, sales and business strategy. IT internal audit professionals can encourage their boards to bring together cross-functional teams to maintain an up-to-date analysis of the market.

• Undertake regular horizon scanning of your sector and any related industries, including trade media, individual blogs and social media.

• Begin research on potential competitors sooner rather than later. Be aware that new competitors could come from non-traditional sources.

• When dealing with new technology take the time to really understand its potential benefits and pitfalls. Ensure the opportunities and risks of being an early adopter of the technology, a fast follower or doing nothing are understood, when planning or reviewing strategy.

• Ensure the agenda is not dominated by a small group of enthusiasts who could skew the discussion. Involve a wide range of relevant stakeholders.

• Keep in mind that computer performance doubles approximately every two years; with that in mind, five- and ten-year plans will always be out of date.

04 CONCLUSION

So, are the executives in your organisation sleepwalking into the future – unaware that there are technological risks that can literally kill their business?

Technology is of course a great enabler and presents a myriad of business opportunities. Over a billion of the world’s population uses a social network[6], almost one in seven of the world’s total population[7], with social networking revenues reaching almost $15bn in 2012 according to Gartner[8]. The growth in smartphones and tablets has seen methods of network interaction change, with obvious dangers to commercial infrastructure that now cannot rely solely on firewalls and anti-virus software to protect itself.

The cyber threat remains real – the barbarians are always at the gate and their technological resources are greater than those of the average organisation.

Finally, there are technologies under development that have the ability to significantly impact your organisation, however market-entrenched and successful it is at the moment.

The message is clear: technological risk must become a regular boardroom issue, on a par with finance reporting, regulatory issues and strategic direction. Indeed, it must become embedded within your organisation’s strategy.

IT internal auditors can stake a claim in this space if they put in place now the processes to give them proactive visibility of not just current trends, but technology that hasn’t been invented yet. It’s now easier than ever through organisations like TED to discover ideas that could change your organisation’s world, even if they sound far-fetched at the moment. Research[9] is already showing email use dropping among 12 to 17-year-olds, which of course will alter the digital communication strategies of those organisations looking at the horizon. In fact it’s happening already, with French IT services company Atos announcing that it intends to ban staff from using internal email and turn to instant messaging and social networking technologies instead[10].

Information and Technology risk management isn’t just about security and regulatory compliance. We need to shift our focus in the IT Risk Universe away from the mature controls and change management programmes and processes we take comfort in, and re-imagine IT risk. How organisations leverage technology will determine financial viability, performance and outcomes. KPMG can help you make difficult decisions with greater confidence. Our Technology Risk Consulting team takes a forward view of our client’s business and de-risks the impact of change, unlocking value and building confidence.

SOURCE: 5 The Economist, April 16, 2011

6 http://www.strategyanalytics.com/default.aspx?mod=reportabstractviewer&a0=6818

7 http://esa.un.org/unpd/wpp/Excel-Data/population.htm

8 http://www.gartner.com/it/page.jsp?id=1820015

9 http://www.comscore.com/Press_Events/Press_Releases/2011/1/Web-based_Email_Shows_Signs_of_Decline_in_the_U.S._While_Mobile_Email_Usage_on_the_Rise

10 http://www.telegraph.co.uk/technology/news/8921033/Staff-to-be-banned-from-sending-emails.html

CONTACTS

Financial Services

Jon Dowie, Partner, Technology Risk Consulting T +44 (0)20 7311 5295 E [email protected]

Michael Elysee, Partner, Technology Risk Consulting T +44 (0)20 7311 5429 E [email protected]

Ameet Sharma, Director, IT Internal Audit T +44 (0)20 7694 4073 E [email protected]

Corporates

Gerry Penfold, Partner, Technology Risk Consulting T +44 (0)20 7311 8489 E [email protected]

Mohammed Rahman, Partner, Technology Risk Consulting T +44 (0)121 232 3301 E [email protected]

Andrew Shefford, Director, IT Internal Audit T +44 (0)20 7694 5507 E [email protected]

Public Sector

Keith Bannister, Partner and UK Head of Technology Risk Consulting T +44 (0)20 7311 6558 E [email protected]

David Timms, Senior Manager, IT Internal Audit T +44 (0)20 7311 6618 E [email protected]


ABOUT KPMG

KPMG’s Technology Risk Consulting practice brings together specialists with skills focussed on the Information and Technology Risk agenda. We have member practices of over 3,500 professionals advising clients across all markets and geographies of the technology and data risks they face. We are part of KPMG’s global network of over 140,000 professionals in 150 countries.

We help clients to identify, prevent and remediate Information and Technology failures and ensure systems are fit for the future. KPMG firms’ independent advice and advanced technology capabilities help our clients manage their technology risks and use their data to its full potential.

• We bring technology risk awareness to the boardroom

• We provide insight from data and help to embed genuine technology risk management into organisations

• Our tailored services are designed to keep information assets secure, systems functioning and controls operating effectively

For more information visit www.kpmg.co.uk/technologyriskconsulting

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. Printed in the United Kingdom.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

www.kpmg.co.uk RR Donnelley I RRD264567 I February 2012 I Printed on recycled material.